
RE: LDAPv3 a nightmare



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo Fredriksson

> When (not if) you gain root access on the LDAP server, you're screwed if not
> using Kerberos since all passwords are in the LDAP database, so you could just
> dump the database, take all the passwords and then crack them.
>
> If you have Kerberos, it won't help with root access, since there are no
> passwords in the LDAP database, and the Kerberos database isn't
> "de-crackable" (?).

What in the world makes you think the Kerberos database isn't crackable? The
freeware Crack utility is quite efficient at processing a KDC database; I use
it all the time to check the password quality of Kerberos accounts.

Encrypted databases are no protection against root hacks because the system
itself must be able to decrypt the database in order to utilize it. The key
that is needed for decrypting the database must be stored in a fixed location
in order for the software to use it. Anyone who knows enough to break into
the system in the first place can easily locate the key. Encrypted databases
only provide protection against casual discovery (e.g. leaking a password in
an error message).

You cannot easily reverse a Kerberos key back into a plaintext password, but
there's no need to do so either; having the key is enough.

> > The machine security is the most important;
>
> There we completely agree!

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support